OpenClaw is an open-source agentic AI that links multiple actions to automate tasks like booking tickets, processing emails, and sending messages, and it can be extended via user-created “skills” and external LLMs such as ChatGPT and Claude. Because much of its code was generated by AI and remains largely unreviewed, malicious skills (including infostealers and prompt-injection attacks), excessive token consumption, and the need to grant broad access (sometimes admin-level) create significant security and financial risks. Projects now cooperate with VirusTotal to scan for malicious skills. #OpenClaw #VirusTotal
Keypoints
- OpenClaw is an open-source “agentic AI” that chains multiple actions to perform complex tasks automatically.
- Most of OpenClaw’s code was generated by AI quickly (“vibe coding”) and reportedly not fully reviewed by its developer, raising security concerns.
- OpenClaw supports a Skills Marketplace where third-party skills (including malicious ones) can be added, enabling expanded functionality or abuse.
- Malicious skills such as infostealers and prompt injection can exfiltrate credentials, payment information, or access tokens from users who grant the agent broad access.
- Running OpenClaw with administrator privileges or granting full account access multiplies risk, potentially exposing cloud-stored data and enabling financial loss.
- Mitigations include isolating experiments on air-gapped systems, restricting sensitive credentials and payment capabilities, and using malware-scanning services like VirusTotal.
MITRE Techniques
- [T0001] Prompt Injection – The article describes prompt injection as a technique where hidden instructions on a webpage influence the agent’s behavior, enabling unauthorized actions or data disclosure (‘Prompt injection remains an ongoing issue—where instructions for the AI are hidden on a webpage, completely invisible to the user but easily readable by the AI.’).
- [T0002] Infostealer / Credential Access – Malicious skills acting as infostealers are described as collecting login credentials, payment information, and access tokens from the assistant/operator and sending them to attackers (‘One of the most frequently downloaded skills is effectively an infostealer, whose sole purpose is to send data about the assistant’s operator directly to the attackers.’).
Indicators of Compromise
- [No specific IOCs] The article does not list concrete IP addresses, file hashes, domains, or filenames; it references malicious “skills,” token consumption, and the use of VirusTotal for scanning but provides no explicit IOCs to enumerate.
Read more: https://www.gdatasoftware.com/blog/2026/02/38368-open-claw-risks